

Comcast Corp. announced this week that it was one of the first ISPs in North America to fully run the
DNSSEC protocol as part of its services. PayPal is one of the first enterprises to secure its
domains with DNSSEC, but it’s unlikely many other enterprises will jump at the chance of becoming
early adopters, said Lawrence Orans, research director at Stamford, Conn.-based Gartner Inc.
Gartner has predicted that by 2014 no more than 30% of DNS lookups will be verified by DNSSEC. The
risk of attack has to be high enough before adoption gains momentum, he said.

“Network managers aren’t feeling enough pain, and as a result they aren’t moving to DNSSEC,”
Orans said. “We’re just not seeing a lot of interest from enterprises.”

Nonetheless, vendors are stepping up with technology to support the transition to DNSSEC. Thales
Information Systems Security, which sells hardware security modules (HSMs), has already supported
DNSSEC for early adopters using OpenDNSSEC open source software. This week, the company announced a
partnership with Infoblox, adding support and automated features to simplify the deployment
process. ISPs, hosting providers and domain registrars are currently the target level of adopters
for DNSSEC, said Richard Moulds, vice president of product management and strategy at Thales.


“Anyone deploying DNSSEC has to make a decision on what level of assurance they want,” Moulds
said. “The highest links in the chain always use an HSM. Unlike database encryption, which is
a personal decision about risk management, when we’re talking about DNS, every organization is
playing a role in that chain of trust and that’s why your obligation is to follow the best
practices.”

A company enabling DNSSEC has a choice between a software or a hardware approach to key management,
or it can turn over most of the management capabilities to a DNS service provider or domain registrar.
Thales hopes its customers, mainly financial firms, will take the leap into DNSSEC using the
hardware-based approach.
